Annoyances.org
Multiple illegal operation errors on startup
Windows 98 Annoyances Discussion Forum


The following are all of the messages in this thread (26 in all), shown in chronological order.
Multiple illegal operation errors on startup
Friday, May 13, 2005 at 5:12 am
Posted by Weeian (8 messages posted)

Using win98, when I start up I get multiple illegal operation messages leading to the crashing of the computer and having to switch off and on. The messages relate to, to name a few, spool32, systray, stimon, thguard etc etc. Basically I can't do anything on the computer at the moment! I am aware that I am infected with the Bube virus and am currently trying to get rid of it. Is it likely that this recent spate of illegal operation errors is due to that virus? Is there any way to stop it without removing the virus? I am having difficulty removing the Bube!! Any help greatly appreciated guys and girls.


re: Multiple illegal operation errors on startup
Friday, May 13, 2005 at 8:21 pm
Posted by dhm (990 messages posted)

A search shows that several people think that Kaspersky Antivirus is the answer to the Bube. One said McAfee will not remove it. Secunia linked me to Sophos antivirus but that was a generic page. Some said only Kaspersky can do it.

Kaspersky has a 30 day free trial period but it is 26Mb and 5mb for the update, which will certainly be needed since Bube is new. These are links to answers in other forums:

forums.maddoktor2.com
forums.techguy.org
www.spywarewarrior.com



On Friday, May 13, 2005 at 5:12 am, Weeian wrote:
>Using win98, when I startup I get multiple illegal operation messages leading to
>the crashing of the computer and having to switch off and on. The messages relate
>to, to name a few, spool32, systray, stimon, thguard etc etc. Basically I cant do
>anything on the computer at the moment! I am aware that I am infected with the Bube
>virus and am currently trying to get rid of it. Is it likely that this recent spate
>of illegal operation errors is due to that virus? Is there any way to stop it without
>removing the virus? I am having difficulty removing the Bube!! Any help greatly appreciated
>guys and girls.
>


re: Multiple illegal operation errors on startup
Friday, May 13, 2005 at 9:51 pm
Posted by Ms. Eagle (33507 messages posted)


If you can't do anything, you sure can't run a scan. Initially, Kaspersky was the 
only AV that could remove Bube, but that may have changed. Can you boot into safe 
mode? Startup programs don't load in Safe. Those illegal operation messages are related 
to your startup applications, the way it looks.

I would try restoring a registry backup, first, since that's easiest, quickest thing 
to try. That's assuming this happened in the last few days. Windows only creates 
5 registry backups by default. Reboot and hold the CTRL key down, until you get the 
boot menu. 

Choose Command prompt only. At the C:\> type: scanreg /restore Press enter. 
Choose a date prior to this problem. A good backup will have the word "Started" before 
it. Then hit Enter. You should get a message that Windows successfully restored the 
registry. Then CTRL_ALT_DEL and see if you get back into Windows. Let us know how 
things go. 

P.S. If that doesn't do it, you should be able to choose 'Safe mode with networking 
support' (or similar) from the boot menu. Then go online to run a virus scan. 
CA eTrust 'Scan for Virus'


Dealing with Unwanted Spyware and Parasites


re: Multiple illegal operation errors on startup
Tuesday, May 17, 2005 at 1:26 am
Posted by Weeian (8 messages posted)

Sorry Carol, I can get onto the machine eventually so I will be able to run a scan. HJT and post results here for help? Regards Kaspersky the problem I have is that the link to the free trial version on their site is not the free trial version!! I have DL'd it several times although not through my own machine as I can't currently DL presumably due to the bube, I have DL'd Kaspersky to a datastick and put it on my computer that way but when I start the program it prompts me to 'purchase a registry key'?? Any thoughts?? I have gone back to a previous registry but the startup illegal operation problem keeps coming back.


re: Multiple illegal operation errors on startup
Wednesday, May 18, 2005 at 3:27 am
Posted by Weeian (8 messages posted)

I have run a HJT scan, can anyone look over it for me and confirm what I have (virus wise) if anything and what I should delete??? Is there anything on here that might explain my many illegal operation messages on startup??? HELP!!!!

Logfile of HijackThis v1.99.1
Scan saved at 20:00:41, on 17/05/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\ACCSTAT.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL\KAVSVC.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\PTSNOOP.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL\KAV.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\INTERNET\ICC\ICC2000.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
F1 - win.ini: load=C:\WINDOWS\PTSNOOP.EXE
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Internet Registration] c:\program files\internet explorer\connection wizard\netcheck.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [IST Service] \ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [kavsvc] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ICC2000] C:\PROGRAM FILES\INTERNET\ICC\icc2000.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll


re: Multiple illegal operation errors on startup
Wednesday, May 18, 2005 at 10:40 am
Posted by Ms. Eagle (33507 messages posted)


Hi there, 

Yes, it's likely the infection is causing the illegal operation messages. You 
didn't say, whether you ran the online virus scan I suggested? If not, please do 
so after fixing these entries and deleting the infected files. Please follow these 
instructions carefully.

You'll need to make sure hidden files are visible: 
How to Show System Files 

Boot into Safe mode to fix these entries: 
Starting your computer in Safe mode

You need to make sure Trojan Hunter, and any other prevention programs, aren't running 
to hinder removal. You could disable them temporarily by removing them from startup. 
Once in Safe mode, close ALL open windows. Run HJT, select these entries. Choose 
Fix checked. Close HJT. 

C:\WINDOWS\PTSNOOP.EXE
F1 - win.ini: load=C:\WINDOWS\PTSNOOP.EXE
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [IST Service] \ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Locate and delete these files:
C:\WINDOWS\PTSNOOP.EXE <--
C:\WINDOWS\isrvs\desktop.exe <--
C:\WINDOWS\isrvs\ffisearch.exe <--

Run a search for this one, using Find - Files or folders. The log shows no path to 
it. If found, delete it. 

istsvc.exe 

Important: Before rebooting, clear your browser cache. For IE: Go into the Control 
Panel - Internet Options - General tab. Delete temporary internet files - choose 
'delete all Offline content'. Settings - set the size of your TIF folder between 
5 - 10 MB. Empty the C:\Windows\temp folder and C:\temp folder, if you have one. 
Empty Recycle Bin. Reboot normally. Then run that online virus scan and let me know 
the results. 

Install SpywareBlaster to help prevent future malware infections. (It's not a cleaner). 
Be sure to download updates and enable all protection. It doesn't need to be running 
to protect your system. Check for updates frequently: 
JavaCool Software

It's strongly advised to use an alternative browser as your main browser. FireFox 
(most popular) or Opera are a couple good choices. IE has too many security issues 
and is very vulnerable to malware infections and hijackings. Hijackings are very 
rare, with other browsers. If you stay with IE, I suggest IE-Spyads, also. For other 
tips and suggestions, check this page below....


Dealing with Unwanted Spyware and Parasites


re: Multiple illegal operation errors on startup
Thursday, May 19, 2005 at 5:29 am
Posted by Weeian (8 messages posted)

Carol, Thanks very much for your time and assistance on this problem. I must confess I didn't run the link you gave but will do so tonight after I have carried out the other instructions. I ran a program last night, registry mechanic I think it was, and it threw up like in excess of 500 problems with my registry! Unfortunately the free version of the program only removed about 100 odds of them! I also downloaded Spybot Search and Destroy although haven't run it yet to see what it can do. I have resorted to a previous registry using the scanreg/restore method but the illegal operation messages are still coming on startup. I can get onto the computer still although sometimes I have to start up like 5 or 6 times before resorting to a previous registry just to get on!!! Perhaps you can answer a few quick questions for me: Does my HJT log show that I still have the Bube virus? If I start using Firefox and delete IE from my system will the virus go with IE? I was given this computer some time ago by a relative and really had no idea about windows updates. Someone else advised that I run my updates ASAP. So I went to the updates and there were about 45 of them! I'm using dial up so no doubt you can appreciate that this will take a very very long time in downloading!!! I assume that I should continue with this anyway?? Again Carol, cheers for your help.


re: Multiple illegal operation errors on startup
Thursday, May 19, 2005 at 5:37 am
Posted by Weeian (8 messages posted)

Sorry Carol, forgot to mention Kaspersky's program, I had said previously that I can't seem to get a trial version of it. I have downloaded the program a few times and every time when I try to start it up I am prompted to 'purchase' a registry key for it. What the hell is a registry key? I assume that there is a fee involved as the word purchase is used? Do you know if there is a free trial version and if so do you know where I can find a link to it? Is the free trial a hoax???


re: Multiple illegal operation errors on startup
Thursday, May 19, 2005 at 4:08 pm
Posted by weeian (5 messages posted)

Carol,

Have done everything that you suggested, one 'small' problem, I can't run the scan. 
I started to run it in normal mode, it had detected about 10 instances of viruses 
at different sites/places but then the good old Explorer has encountered a problem 
and must close down kicked in and my scan was no more! So I tried the Safe Mode with 
networking support but it's not on my list of start up options and a quick search 
of the net suggests that Windows 98 doesn't have that option.

Any other suggestions? 
Is it possible to go online in safe mode?


re: Multiple illegal operation errors on startup
Thursday, May 19, 2005 at 7:44 pm
Posted by Ms. Eagle (33507 messages posted)


You're welcome. There's no sign of the bube virus in the log. The infections listed 
are "Desktop Search" hijacker and "ISTBar foistware".  

Under the circumstances, it might be best to "generate a StartupList log" and post 
that log, also at the same time. To do that, run HijackThis and click "Open the Misc 
Tools section". Where it says Generate StartupList log, first choose "List also minor 
sections (Full)". Then click Generate StartupList log. Once the scan is finished, 
the log will automatically open in Notepad, etc.  

I wouldn't get too carried away with registry mechanic, though. It's often necessary 
to repair Internet Explorer once you've got things cleaned up. First, let me know 
how the scan goes, etc and post a new log. Forget about Kaspersky, I don't know what 
the deal is. You've about got things cleaned up now.

As for Windows updates, you should wait until the malware is cleaned up. However, 
not every update available applies in all circumstances. You should never install 
every update that's available. WMP 9, for one, which doesn't get along well on 9x 
systems. Don't install 'drivers' from Windows update site. 

The most important updates are the IE Security updates. Usually, installing the latest 
"cumulative" patch is sufficient. You should read the descriptions first. The best 
way to install those, is to download them. Then install offline, after closing all 
running programs and open windows. Install one at a time, rebooting in between.


Dealing with Unwanted Spyware and Parasites


re: Multiple illegal operation errors on startup
Friday, May 20, 2005 at 1:14 am
Posted by Weeian (8 messages posted)

Cheers Carol, I'll get that other HJT scan on tonight. Glad to hear there's no sign of the bube. BTW I DL'd and installed firefox last night. When I get this problem sorted is it advisable to remove IE from the computer or should I just use firefox where I can and keep IE in case it is required? I noticed that the scan you suggested wouldn't run in Firefox, something about 'netscape' and requiring 'IE 4.0' hence I had to run it in IE. Anyways, I'll get that scan run and log posted here for your perusal. Thanks again, you really are a great help in this matter.


re: Multiple illegal operation errors on startup
Friday, May 20, 2005 at 10:45 am
Posted by Ms. Eagle (33507 messages posted)

You'll still need to use IE on occasion, but you can use FireFox as your main browser. Since IE is tightly integrated into Windows, it can't be completely removed without a third party program. There's no uninstaller for it.


Dealing with Unwanted Spyware and Parasites


re: Multiple illegal operation errors on startup
Friday, May 20, 2005 at 5:01 pm
Posted by weeian (5 messages posted)

Carol,

Here's my startup log from HJT. Look forward to hearing from you with any further 
advice as I'm really strugglin now, having trouble even gettin through startup! Computer 
just keeps freezing on startup, took me about 7/8 goes to get on tonight, losing 
the will to hit the power button at times lol!!

As per my earlier post, do you know if I can get online in safe mode with win98 as 
this seems the only way I will be able to run the virus scan you suggested?
--------------------------------------------------------------------

StartupList report, 20/05/05, 18:56:17
StartupList version: 1.52.2
Started from : C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

TaskMonitor = c:\windows\taskmon.exe
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
ATIGART = c:\ati\gart\atigart.exe
EnsoniqMixer = starter.exe
Internet Registration = c:\program files\internet explorer\connection wizard\netcheck.exe
StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
LoadQM = loadqm.exe
ScanRegistry = c:\windows\scanregw.exe /autorun
THGuard = "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
Desktop Search = C:\WINDOWS\isrvs\desktop.exe
ffis = C:\WINDOWS\isrvs\ffisearch.exe
IST Service = \ISTsvc\istsvc.exe
KAVPersonal50 = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
RegistryMechanic = C:\Program Files\Registry Mechanic\RegMech.exe /QS

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe
kavsvc = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Taskbar Display Controls = RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
MsnMsgr = "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
ICC2000 = C:\PROGRAM FILES\INTERNET\ICC\icc2000.exe

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = c:\windows\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

[>PerUser_MSN_Clean] *
StubPath = c:\windows\msnmgsr1.exe

[MmoptPreferredAudioDevices] *
StubPath = rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,@0,SUSB\VID_0546&PID_3155&MI_02\2USB&VID_0546&PID_3155&INST_0

[PerUser_LinkBar_URLs] *
StubPath = c:\windows\COMMAND\sulfnbk.exe /L

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

[>IEPerUser] *
StubPath = RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=C:\WINDOWS\PTSNOOP.EXE
run=

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 18/5/2005, 23:11:38)

[rename]
C:\WINDOWS\SYSTEM\IoSubSys\SmartVSD.VxD=C:\WINDOWS\SYSTEM\SmartVSD.VxD

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

CALL C:\WINDOWS\RECOVERY\CHECK.BAT
LH C:\WINDOWS\COMMAND\MOUSE
LH keyb uk,,c:\windows\COMMAND\keyboard.sys
SET BLASTER=A220 I7 D1 T2
SET SNDSCAPE=C:\WINDOWS
C:\PROGRA~1\CREATIVE\CTSND\DOSDRV\APINIT.COM

--------------------------------------------------

C:\CONFIG.SYS listing:

DEVICE=C:\WINDOWS\HIMEM.SYS
DEVICE=C:\WINDOWS\EMM386.EXE NOEMS  
DOS=HIGH,UMB
DEVICEHIGH=C:\WINDOWS\COMMAND\VIDE-CDD.SYS /D:CD-ROM
COUNTRY=044,850,C:\WINDOWS\COMMAND\COUNTRY.SYS

--------------------------------------------------

C:\WINDOWS\DOSSTART.BAT listing:

C:\PROGRA~1\CREATIVE\CTSND\DOSDRV\APINIT
LH C:\WINDOWS\COMMAND\MSCDEX.EXE /D:CD-ROM  /M:10
echo.
cls

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

IE Update Class - C:\WINDOWS\isrvs\sysupd.dll (file missing) - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993}
(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
609BFCEA6E7C5235.job
EBF8AC596E9B9DCA.job
A57C84616E7D204E.job
4A156C176E7DA174.job
7ED0CF226E7C409F.job
2ED9F1CF6E7CD83C.job
4C0D7046918B160D.job

--------------------------------------------------

Enumerating Download Program Files:

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\SHOCKWAVE 10\DOWNLOAD.DLL
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38485.4072916667

[WScanCtl Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.1\WEBSCAN.DLL
CODEBASE = http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
End of report, 7,704 bytes
Report generated in 0.310 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only


re: Multiple illegal operation errors on startup
Friday, May 20, 2005 at 5:33 pm
Posted by Ms. Eagle (33507 messages posted)


Ian, I can't help you here, because this discussion/thread belongs to someone else. 
This will only cause confusion and isn't fair to the originator of this thread. 

You need to start your own thread by choosing to post a 'new' message, then describe 
your problem. Each case is different. My instructions are to the original poster 
in this thread, weeian.


Dealing with Unwanted Spyware and Parasites


re: Multiple illegal operation errors on startup
Friday, May 20, 2005 at 5:48 pm
Posted by weeian (5 messages posted)

Carol,

??? Youve lost me?? I am weeian, I dont know why some posts show weeian and some 
show ian ingram but they are one in the same. Wee Ian, 5'6'' tall, Wee Ian, you gettin 
me lol. Hopefully you can continue to help me now on this thread. I did start it 
honestly!!

Managed to run that CA scan. Here is the result, looks scary enough to me but then 
I don’t know much about it!

I clicked ‘Cure Files’ after the scan and all the ‘infected’s changed to ‘cannot 
cure’

What's next? Am I gonna have to buy some sort of virus removal program or are they 
free? Or is it a case of manual removal of files? 

Excuse my ignorance! 


dload.exe.tcf	Win32.Tibser.P	infected	C:\WINDOWS\SYSTEM\
su1111fka.exe.tcf	Win32.SillyDl.ES	infected	C:\WINDOWS\SYSTEM\
private-zone.exe.tcf	Win32.SillyDl	infected	C:\WINDOWS\SYSTEM\
DLOAD.EXE7773.tcf	Win32.Tibser.P	infected	C:\WINDOWS\SYSTEM\
DLOAD.EXE1877.tcf	Win32.Tibser.P	infected	C:\WINDOWS\SYSTEM\
DLOAD.EXE69.tcf	Win32.Tibser.P	infected	C:\WINDOWS\SYSTEM\
DLOAD.EXE3286.tcf	Win32.Tibser.P	infected	C:\WINDOWS\SYSTEM\
DLOAD.EXE2639.tcf	Win32.Tibser.P	infected	C:\WINDOWS\SYSTEM\
DLOAD.EXE160.tcf	Win32.Tibser.P	infected	C:\WINDOWS\SYSTEM\
DLOAD.EXE3496.tcf	Win32.Tibser.P	infected	C:\WINDOWS\SYSTEM\
SU1111~1.TCF	Win32.SillyDl.ES	infected	C:\WINDOWS\SYSTEM\
PRIVAT~1.TCF	Win32.SillyDl	infected	C:\WINDOWS\SYSTEM\
msxmidi.exe	Win32.Bube.H	infected	C:\WINDOWS\
targetsaver.exe	Win32.SillyDl.LC	infected	C:\WINDOWS\
GLF9084GLF9084.EXE	Win32.SillyDl.LC	infected	C:\WINDOWS\
tsinstall_4_0_3_8_b17.exe	Win32.SillyDl.LC	infected	C:\WINDOWS\
sidefind.exe.tcf	Win32.SillyDl.KL	infected	C:\WINDOWS\
ukqql.exe.tcf	Win32.SillyDl.LC	infected	C:\Program Files\Common Files\ukqq\
127062.exe.tcf	Win32.Tibser.G	infected	C:\Program Files\WebSiteViewer\
delete.bat	BAT.Deltree	infected	C:\image\tools\
web.exe	Win32.Bube.H	infected	C:\
127062.exe.tcf	Win32.Tibser.G	infected	C:\
127062.EXE4287.tcf	Win32.Tibser.G	infected	C:\
127062.EXE292.tcf	Win32.Tibser.G	infected	C:\




re: Multiple illegal operation errors on startup
Friday, May 20, 2005 at 6:34 pm
Posted by Ms. Eagle (33507 messages posted)


"Youve lost me?? I am weeian...."

Whatcha mean "I" lost you, you lost me. Two different names, so you must have another 
account, with a different email address? It's always best to stay with the same 
user name in one thread, if you can. Anyhow....

According to your StartupList log, everything I'd instructed you to fix in HJT is 
still there. Did you follow my previous instructions to fix those entries, delete 
files, etc.? 



Dealing with Unwanted Spyware and Parasites
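
The comparison described in the post above (entries from the HijackThis fix list still showing up in the later StartupList report) can be done mechanically. The Python below is an added example, not part of the original thread or of HijackThis; the function names are illustrative, and the two embedded logs are trimmed excerpts of the ones posted in this thread.

```python
import re

# Entries the helper asked to fix, copied from the thread. Only the autorun
# (O4) and win.ini (F1) lines are used; the O2/O9 lines are left out here.
FIX_LIST = r"""
F1 - win.ini: load=C:\WINDOWS\PTSNOOP.EXE
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [IST Service] \ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
"""

# Trimmed excerpt of the StartupList report posted later in the thread.
STARTUPLIST_LOG = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

TaskMonitor = c:\windows\taskmon.exe
ATIGART = c:\ati\gart\atigart.exe
LoadQM = loadqm.exe
THGuard = "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
Desktop Search = C:\WINDOWS\isrvs\desktop.exe
ffis = C:\WINDOWS\isrvs\ffisearch.exe
IST Service = \ISTsvc\istsvc.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Taskbar Display Controls = RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
MsnMsgr = "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=C:\WINDOWS\PTSNOOP.EXE
run=
"""

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
F1_RE = re.compile(r"^F1 - win\.ini: (load|run)=(.+)$", re.IGNORECASE)


def norm(command):
    """Compare commands case-insensitively, ignoring quotes and extra spaces."""
    return " ".join(command.replace('"', "").lower().split())


def parse_hijackthis(text):
    """Map (hive, key, value name) -> command for O4 and F1 lines."""
    entries = {}
    for line in map(str.strip, text.splitlines()):
        if m := O4_RE.match(line):
            hive, key, name, command = m.groups()
            entries[(hive.upper(), key.lower(), name.lower())] = norm(command)
        elif m := F1_RE.match(line):
            entries[("WIN.INI", m.group(1).lower(), "")] = norm(m.group(2))
    return entries


def parse_startuplist(text):
    """Same mapping, read from StartupList's registry and WIN.INI sections."""
    entries, section = {}, None
    lines = [line.strip() for line in text.splitlines()]
    for i, line in enumerate(lines):
        if line.startswith("Autorun entries from Registry:") and i + 1 < len(lines):
            path = lines[i + 1].split("\\")      # full key path is on the next line
            section = (path[0].upper(), path[-1].lower())
        elif line.startswith("Load/Run keys from"):
            section = ("WIN.INI", "")
        elif line and set(line) == {"-"}:         # dashed rule ends a section
            section = None
        elif section and section[0] == "WIN.INI" and "=" in line:
            key, value = line.split("=", 1)
            if value.strip():                     # skip empty "run="
                entries[("WIN.INI", key.lower(), "")] = norm(value)
        elif section and " = " in line:
            name, value = line.split(" = ", 1)
            entries[(section[0], section[1], name.lower())] = norm(value)
    return entries


def compare(fix_list, startup_log):
    """Classify each flagged entry against the later startup snapshot."""
    flagged, current = parse_hijackthis(fix_list), parse_startuplist(startup_log)
    return {
        "still_present": sorted(k for k, c in flagged.items() if current.get(k) == c),
        "changed": sorted(k for k, c in flagged.items() if k in current and current[k] != c),
        "gone": sorted(k for k in flagged if k not in current),
    }


if __name__ == "__main__":
    for status, keys in compare(FIX_LIST, STARTUPLIST_LOG).items():
        print(status, len(keys))
        for hive, key, name in keys:
            print("   ", hive, key, name or "(win.ini)")
```
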


re: Multiple illegal operation errors on startup
Friday, May 20, 2005 at 7:38 pm
Posted by Ms. Eagle (33507 messages posted)


weeian, I need to hear it directly from you, under the same user name. Are you also 
posting under the name "ian ingram", and is this your post?

http://www.annoyances.org/exec/forum/win98/1116576864

"I am weeian, I dont know why some posts show weeian and some 
show ian ingram but they are one in the same."

Anyone could have posted those messages, claiming to be you. It doesn't sound like 
you, but I don't want to assume.



Dealing with Unwanted Spyware and Parasites


re: Multiple illegal operation errors on startup
Saturday, May 21, 2005 at 10:57 am
Posted by weeian (5 messages posted)

Right Carol, I seem to have made a bit of a mess of this thread, sorry, I didn't 
know there were rules about posting to the thread starter etc etc. So I think I'm 
in now as weeian again lol. Yes the link above is mine.

Re the deleted files, yes I did delete them but I'm guessing that I have gone back 
to another registry where they weren't deleted?? Possible???

Anyways, I'll get those files deleted again now and then run the CA scan. 

Sorry bout the confusion. lol, new to this site!


re: Multiple illegal operation errors on startup
Saturday, May 21, 2005 at 12:43 pm
Posted by weeian (5 messages posted)

Carol,

I have deleted the files you advised from HJT and ran the CA scan again and the result 
was exactly the same as the scan last night, 24 viruses found.

Do you have any idea how I am going to get rid of these beasties?



dload.exe.tcf	Win32.Tibser.P	infected	C:\WINDOWS\SYSTEM\
su1111fka.exe.tcf	Win32.SillyDl.ES	infected	C:\WINDOWS\SYSTEM\
private-zone.exe.tcf	Win32.SillyDl	infected	C:\WINDOWS\SYSTEM\
DLOAD.EXE7773.tcf	Win32.Tibser.P	infected	C:\WINDOWS\SYSTEM\
DLOAD.EXE1877.tcf	Win32.Tibser.P	infected	C:\WINDOWS\SYSTEM\
DLOAD.EXE69.tcf	Win32.Tibser.P	infected	C:\WINDOWS\SYSTEM\
DLOAD.EXE3286.tcf	Win32.Tibser.P	infected	C:\WINDOWS\SYSTEM\
DLOAD.EXE2639.tcf	Win32.Tibser.P	infected	C:\WINDOWS\SYSTEM\
DLOAD.EXE160.tcf	Win32.Tibser.P	infected	C:\WINDOWS\SYSTEM\
DLOAD.EXE3496.tcf	Win32.Tibser.P	infected	C:\WINDOWS\SYSTEM\
SU1111~1.TCF	Win32.SillyDl.ES	infected	C:\WINDOWS\SYSTEM\
PRIVAT~1.TCF	Win32.SillyDl	infected	C:\WINDOWS\SYSTEM\
msxmidi.exe	Win32.Bube.H	infected	C:\WINDOWS\
targetsaver.exe	Win32.SillyDl.LC	infected	C:\WINDOWS\
GLF9084GLF9084.EXE	Win32.SillyDl.LC	infected	C:\WINDOWS\
tsinstall_4_0_3_8_b17.exe	Win32.SillyDl.LC	infected	C:\WINDOWS\
sidefind.exe.tcf	Win32.SillyDl.KL	infected	C:\WINDOWS\
ukqql.exe.tcf	Win32.SillyDl.LC	infected	C:\Program Files\Common Files\ukqq\
127062.exe.tcf	Win32.Tibser.G	infected	C:\Program Files\WebSiteViewer\
delete.bat	BAT.Deltree	infected	C:\image\tools\
web.exe	Win32.Bube.H	infected	C:\
127062.exe.tcf	Win32.Tibser.G	infected	C:\
127062.EXE4287.tcf	Win32.Tibser.G	infected	C:\
127062.EXE292.tcf	Win32.Tibser.G	infected	C:\



re: Multiple illegal operation errors on startup
Saturday, May 21, 2005 at 1:55 pm
Posted by Ms. Eagle (33507 messages posted)


Don't worry about the name confusion, but I just had to know for sure. You didn't 
break any rules, and why would you think anything of it. It seemed unlikely it was 
anyone else considering, but we often have problems with posters hijacking someone 
else's threads, and it's really annoying. 

These downloader trojans are very difficult to deal with, as they continue to download 
and install more malware, each time you log on to the net. The file names are random. 
As you can see, the infected files listed are in various locations. While you can 
try tracking each one down and deleting them, it's not that simple to clear it all 
up. As you've found out, your system just gets reinfected.

Here's a description of one of those trojans:

"Win32.SillyDl is a family of trojans that act as downloaders."

http://secunia.com/virus_information/10588/win32.sillydl/

I'm not experienced enough to deal with some of these advanced malwares. Removal 
procedures can be quite complex. I suggest you get "expert" help on a malware support 
forum. 

This is a newer forum and won't be nearly as busy as some of the others. The wait 
won't be as long, because many of the forums are swamped with serious malware problems. 
Post a message noting your problem, and what cleaning you've done so far.

http://forum.malwareremoval.com/

Hang in there, and good luck, wee Ian. :-)

P.S. a few other popular forums, but they're likely quite busy:

CastleCops forums

Spyware Warrior forum

cexx.org discussion boards


Dealing with Unwanted Spyware and Parasites

[Reply or follow-up to this message]
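
Added example, not part of any poster's message: a short Python triage script for a scan listing like the one posted above. It groups detections by family and folder and collapses the numeric suffixes in file names, showing how few families account for the many files. The tab-separated column layout and the function names are assumptions; the sample rows are copied from the listing in this thread.

```python
import re
from collections import defaultdict

# Rows copied from the scan listing posted earlier in this thread
# (assumed layout, tab-separated: file name, detection, status, folder).
SAMPLE = "\n".join([
    " \tDLOAD.EXE1877.tcf\tWin32.Tibser.P\tinfected\tC:\\WINDOWS\\SYSTEM\\",
    " \tDLOAD.EXE69.tcf\tWin32.Tibser.P\tinfected\tC:\\WINDOWS\\SYSTEM\\",
    " \tPRIVAT~1.TCF\tWin32.SillyDl\tinfected\tC:\\WINDOWS\\SYSTEM\\",
    " \tmsxmidi.exe\tWin32.Bube.H\tinfected\tC:\\WINDOWS\\",
    " \ttargetsaver.exe\tWin32.SillyDl.LC\tinfected\tC:\\WINDOWS\\",
    " \tukqql.exe.tcf\tWin32.SillyDl.LC\tinfected\tC:\\Program Files\\Common Files\\ukqq\\",
    " \tweb.exe\tWin32.Bube.H\tinfected\tC:\\",
    " \t127062.EXE4287.tcf\tWin32.Tibser.G\tinfected\tC:\\",
    " \t127062.EXE292.tcf\tWin32.Tibser.G\tinfected\tC:\\",
    "[Reply or follow-up to this message]",  # non-row text must be skipped
])

def parse_rows(text):
    """Return (file, detection, status, folder) tuples; skip malformed lines."""
    rows = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("\t")]
        fields = [f for f in fields if f]
        if len(fields) == 4 and fields[2] == "infected":
            rows.append(tuple(fields))
    return rows

def family(detection):
    """'Win32.SillyDl.LC' -> 'SillyDl' (platform prefix and variant dropped)."""
    parts = detection.split(".")
    return parts[1] if len(parts) > 1 else detection

def name_pattern(filename):
    """Collapse the numeric suffix that varies between copies of one file."""
    return re.sub(r"(?i)(\.exe)\d+(\.tcf)$", r"\1<n>\2", filename)

def summarize(text):
    """Map family -> {folder: set of name patterns} for triage."""
    out = defaultdict(lambda: defaultdict(set))
    for fname, det, _status, folder in parse_rows(text):
        out[family(det)][folder.upper()].add(name_pattern(fname))
    return {fam: dict(dirs) for fam, dirs in out.items()}

if __name__ == "__main__":
    for fam, dirs in sorted(summarize(SAMPLE).items()):
        for folder, names in sorted(dirs.items()):
            print(f"{fam:8} {folder:45} {sorted(names)}")
```
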

re: Multiple illegal operation errors on startup
Monday, May 23, 2005 at 1:16 am
Posted by Weeian (8 messages posted)

Carol, Thanks for all your help so far on this. On Saturday night I lost the plot and ran a re-load disk in the computer thereby of course scrubbing it back to the way it was when it came out of the box. I have lost all the music I had stored on media player and some photos of my kids that I had stored, which is quite upsetting, but I am hoping that I have removed the viruses from the machine. All is in perfect working order now, with uninterrupted startup every time. I have downloaded Firefox again to use as my main browser. I assume that this action will have removed the viruses? Can you give me any advice on how to keep them out now? Should I start another thread on that topic?

[Reply or follow-up to this message]

re: Multiple illegal operation errors on startup
Tuesday, July 12, 2005 at 12:34 pm
Posted by joey (1 messages posted)

I have an illegal operation when I start Windows. It doesn't let me load my desktop items; it says illegal operation, and when I click the X or close button my computer shuts down. What should I do? Even in safe mode it loads but it still says illegal operation and I can't enter certain things like the internet and some other programs. That's why I'm at my girlfriend's writing this message so you can help me correct the problem.

[Reply or follow-up to this message]

re: Multiple illegal operation errors on startup
Tuesday, July 12, 2005 at 1:48 pm
Posted by Ms. Eagle (33507 messages posted)

Please start a new thread describing your problem. You're more likely to get help that way, rather than posting in an older thread.


Dealing with Unwanted Spyware and Parasites

[Reply or follow-up to this message]

re: Multiple illegal operation errors on startup
Sunday, August 21, 2005 at 1:16 pm
Posted by Pascale (3 messages posted)

Dear Carol, I was without my computer since June due to illegal operation message and no start up menu not even in Safe Mode. I tried everything, but was reluctant to use the restore pack as I did not want to lose all my data as I had no backup. However, I was absolutely amazed when on following your advice re Command Prompt, my computer was fully restored to normal again within 2 minutes. You're certainly very knowledgeable and know what you're talking about regarding computers. Many many thanks. I was dreading what a repair man was going to charge me but could see no other option until I read this article of yours. The bonus being I have all my original data intact. Thank you again. Pascale.


On Friday, May 13, 2005 at 9:51 pm, Carol J wrote:
>
>If you can't do anything, you sure can't run a scan. Initially, Kaspersky was the
>only AV that could remove Bube, but that may have changed. Can you boot into safe
>mode? Startup programs don't load in Safe. Those illegal operation messages are related
>to your startup applications, the way it looks.
>
>I would try restoring a registry backup, first, since that's easiest, quickest thing
>to try. That's assuming this happened in the last few days. Windows only creates
>5 registry backups by default. Reboot and hold the CTRL key down, until you get the
>boot menu.
>
>Choose Command prompt only. At the C:\> type: scanreg /restore Press enter.
>Choose a date prior to this problem. A good backup will have the word "Started" before
>it. Then hit Enter. You should get a message that Windows successfully restored the
>registry. Then CTRL_ALT_DEL and see if you get back into Windows. Let us know how
>things go.
>
>P.S. If that doesn't do it, you should be able to choose 'Safe mode with networking
>support' (or similar) from the boot menu. Then go online to run a virus scan.
>CA eTrust 'Scan for Virus': http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
>
>Dealing with Unwanted Spyware and Parasites

[Reply or follow-up to this message]

re: Multiple illegal operation errors on startup
Thursday, August 25, 2005 at 6:53 pm
Posted by Ms. Eagle (33507 messages posted)


You're very welcome. I'm glad it was of help to you, and thanks so much for letting 
me know!

Restoring a registry backup can bail us out of a number of problems, but not always. 
It's too bad you didn't post for help on the forums before. 

Next time you have trouble, just stop in and post a new message and hopefully someone 
will be able to help.


Dealing with Unwanted Spyware and Parasites

[Reply or follow-up to this message]

re: Multiple illegal operation errors on startup
Monday, November 28, 2005 at 9:41 am
Posted by TechnoTrix'd (1 messages posted)

Just to echo what was posted in August, I found this "thread" through a Google 
search. I had the Ptsnoop exe on my system and my registry files had become 
corrupted over the weekend.

Great "tip" on how to restore the registry files, once I did that I was back up and 
running.

I have since followed your links to the mvps.org and have done extensive layering 
of the various anti-spyware solutions (i.e. host file, spyware tool, etc..) to all 
of my home machines.

Again, just wanted to drop a heart-felt thank-you to Carol for all of her help to 
the greater community..

Peace......Rob






On Thursday, August 25, 2005 at 6:53 pm, Carol J wrote:

>
>You're very welcome. I'm glad it was of help to you, and thanks so much for letting
>me know!
>
>Restoring a registry backup can bail us out of a number of problems, but not always.
>It's too bad you didn't post for help on the forums before.
>
>Next time you have trouble, just stop in and post a new message and hopefully someone
>will be able to help.
>
>Dealing with Unwanted Spyware and Parasites

[Reply or follow-up to this message]



All content at Annoyances.org is Copyright © 1995-2009 Creative Element™. All rights reserved.
Please do not plagiarize; redistributing these pages without permission is strictly prohibited.